Closed Bug 346673 Opened 19 years ago Closed 19 years ago

firefox crashes on svg file [@ nsSVGCairoRectRegion::Combine]

Categories

(Core :: SVG, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

VERIFIED FIXED
mozilla1.8beta2

People

(Reporter: wollez, Assigned: tor)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5
Build Identifier: Firefox/1.5.0.5

Hi, firefox crashes when I want to open that file locally: https://perswww.kuleuven.ac.be/~u0049353/svg/map_new_normal.svg

It was created with inkscape, it also went through the svg validator at http://jiggles.w3.org/svgvalidator/ without problems

Reproducible: Always

Steps to Reproduce:
i. e. drag and drop of the file on firefox

Actual Results:
firefox crashes completely

Expected Results:
it should display the graphic

WFM - Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060730 Minefield/3.0a1 - Build ID: 2006073004

Can you reproduce with a clean profile?

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060728 BonEcho/2.0b1
TB21625269H
TB21625324Q

Incident ID: 21625269
Stack Signature nsSVGCairoRectRegion::Combine 247c0f2f
Product ID Firefox2
Build ID 2006072803
Trigger Time 2006-07-31 08:01:42.0
Platform Win32
Operating System Windows NT 5.1 build 2600
Module firefox.exe + (0026f4a7)
URL visited
User Comments
Since Last Crash 4538 sec
Total Uptime 16800 sec
Trigger Reason Access violation
Source File, Line No. c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoRegion.cpp, line 120

Stack Trace
nsSVGCairoRectRegion::Combine [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/renderer/src/cairo/nsSVGCairoRegion.cpp, line 120]
nsSVGPathGeometryFrame::GetCoveredRegion [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 353]
nsSVGPathGeometryFrame::PaintSVG [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGPathGeometryFrame.cpp, line 257]
nsSVGGFrame::PaintSVG [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGGFrame.cpp, line 134]
nsSVGOuterSVGFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/svg/base/src/nsSVGOuterSVGFrame.cpp, line 845]
nsContainerFrame::PaintChild [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 283]
nsContainerFrame::PaintChildren [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsContainerFrame.cpp, line 228]
nsHTMLContainerFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLContainerFrame.cpp, line 84]
CanvasFrame::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsHTMLFrame.cpp, line 385]
PresShell::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 5825]
nsView::Paint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 316]
nsViewManager::RenderDisplayListElement [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1460]
nsViewManager::RenderViews [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 1375]
nsViewManager::Refresh [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 930]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1348]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4564]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1536]
USER32.dll + 0x8734 (0x77d18734)
USER32.dll + 0x8816 (0x77d18816)
USER32.dll + 0xb4c0 (0x77d1b4c0)
USER32.dll + 0xb50c (0x77d1b50c)
ntdll.dll + 0xeae3 (0x7c90eae3)
USER32.dll + 0x8a10 (0x77d18a10)
nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Assignee: nobody → general
Severity: normal → critical
Component: General → SVG
Product: Firefox → Core
QA Contact: general → ian
Summary: firefox crashes on svg file → firefox crashes on svg file [@ nsSVGCairoRectRegion::Combine]
Version: unspecified → 1.8 Branch
In trunk there has also been a crash on this picture but it was repaired between 1.9a1_2006060908 and 1.9a1_2006060912: TB21626150K. I don't know if it has any connection with this bug. It was not repaired immediately: only the crash, the picture was still not displayed. So possibly this is a new case.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached image reduced testcase
testcase
I've reduced the file to a simple testcase. What I've observed is that if you have marker-start or marker-end on a shape that also has fill="none", it crashes; after removing either the fill or the marker it does not crash anymore. Also, any other value of fill does not cause a crash. Oddly, marker-mid does not crash at all.
Attached image testcase nocrash
This file is the same as the testcase, but with fill="none" removed. This does not crash.
Keywords: crash, testcase
Assignee: general → tor
Status: NEW → ASSIGNED
Attachment #231445 - Flags: review?(jwatt)
*** Bug 346707 has been marked as a duplicate of this bug. ***
Comment on attachment 231445: handle null region for base geometry

r=jwatt
Attachment #231445 - Flags: review?(jwatt) → review+
Attachment #231445 - Flags: superreview?(bzbarsky)
Flags: blocking1.8.1?
Target Milestone: --- → mozilla1.8beta2
Comment on attachment 231445 [details] [diff] [review] handle null region for base geometry >Index: layout/svg/base/src/nsSVGPathGeometryFrame.cpp >+ nsISVGRendererRegion *retval = region.get(); >+ NS_IF_ADDREF(retval); >+ return retval; How about: nsISVGRendererRegion *retval = nsnull; region.swap(retval); return retval; ? Should be a tad faster....
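Review bot: in the quoted return sequence in layout/svg/base/src/nsSVGPathGeometryFrame.cpp, the use of NS_IF_ADDREF means retval may be null, so this function can hand a null region back to its caller. A short comment at the return stating that null is a valid result and that the caller owns the returned reference would help, and it is worth checking that every caller tests the result before calling a method on it.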
Attachment #231445 - Flags: superreview?(bzbarsky) → superreview+
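The null-base case and the two return idioms from the review above, as an added C++ model that is not part of this bug or of Mozilla's code. Region, RegionPtr, Union and CoveredRegion are hypothetical stand-ins, and treating a base region that paints nothing as null is an assumption.

```cpp
// Added illustration: Region, RegionPtr and CoveredRegion are hypothetical
// stand-ins, not Mozilla's nsISVGRendererRegion, nsCOMPtr or GetCoveredRegion.
#include <cstdio>
#include <utility>

static int g_refOps = 0;                       // counts AddRef + Release calls
struct Region {
    int refs = 0, area;
    explicit Region(int a) : area(a) {}
    void AddRef()  { ++refs; ++g_refOps; }
    void Release() { ++g_refOps; if (--refs == 0) delete this; }
};
struct RegionPtr {                             // minimal owning pointer
    Region* p = nullptr;
    RegionPtr() = default;
    RegionPtr(const RegionPtr&) = delete;
    ~RegionPtr() { if (p) p->Release(); }
    void adopt(Region* r) { if (p) p->Release(); p = r; }  // takes an owned ref
    void swap(Region*& raw) { std::swap(p, raw); }         // no refcount traffic
};
// Owned reference, or nullptr when nothing is painted (assumed model).
Region* MakeRegion(int area) {
    if (area == 0) return nullptr;
    Region* r = new Region(area);
    r->AddRef();
    return r;
}
// Like a->Combine(b): dereferences a, so a must not be null.
Region* Union(Region* a, Region* b) { return MakeRegion(a->area + b->area); }

Region* CoveredRegion(int baseArea, int markerArea, bool useSwap) {
    RegionPtr region;
    region.adopt(MakeRegion(baseArea));
    if (Region* marker = MakeRegion(markerArea)) {
        if (!region.p) {
            region.adopt(marker);              // null base: take the marker region
        } else {
            Region* u = Union(region.p, marker);
            marker->Release();
            region.adopt(u);
        }
    }
    Region* retval = nullptr;
    if (useSwap) region.swap(retval);          // ownership moves to the caller
    else { retval = region.p; if (retval) retval->AddRef(); }  // undone by ~RegionPtr
    return retval;
}
int main() {
    Region* r = CoveredRegion(0, 5, true);     // constructed input: null base + marker
    std::printf("area=%d refOps=%d\n", r->area, g_refOps);
    r->Release();
}
```

Both return paths hand the caller one owned reference; the get-and-AddRef path costs one extra AddRef plus the Release in the destructor.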
Attachment #231445 - Flags: approval1.8.1?
Attachment #231445 - Flags: approval1.8.0.6?
Comment on attachment 231445: handle null region for base geometry

(Is the pointer coming from RegionMark a newly created object or a member? If the latter, are you sure that callers don't expect the object returned to be newly created.)

a=dbaron on behalf of drivers. Please land on MOZILLA_1_8_BRANCH and mark fixed1.8.1 once you have done so.
Attachment #231445 - Flags: approval1.8.1? → approval1.8.1+
The object from RegionMark is newly allocated.
Checked in on MOZILLA_1_8_BRANCH.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: blocking1.8.1?
Keywords: fixed1.8.1
Resolution: --- → FIXED
Attachment #231445 - Flags: approval1.8.0.6? → approval1.8.0.7?
Blocks: 318379
Flags: blocking1.8.0.7+
Comment on attachment 231680: Checkin version - with bz's suggested change.

approved for 1.8.0. branch, a=dveditz for drivers
Attachment #231680 - Flags: approval1.8.0.7+
Attachment #231445 - Flags: approval1.8.0.7?
Checked in on MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.7
reduced testcase https://bugzilla.mozilla.org/attachment.cgi?id=231421&action=view should not crash browser

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1b2) Gecko/2006082203 BonEcho/2.0b2
verified 1.8.1b2

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.7pre) Gecko/20060821 Firefox/1.5.0.7pre
verified 1.8.0.7
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsSVGCairoRectRegion::Combine]